These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2026-27647 affects a Mobility46 WebSocket backend that relies on charging station identifiers to associate sessions. Because multiple endpoints can connect using the same session identifier, a newer connection can displace the legitimate station and receive backend commands intended for it. CISA describes the result as session hijacking or shadowing, with potential unauthorized authentication and deni [truncated]
CVE-2026-27028 is a critical authentication flaw in Mobility46/mobility46.se OCPP WebSocket endpoints. According to the CISA CSAF advisory, an attacker who knows or discovers a charging-station identifier can connect without authentication, impersonate a legitimate charger, and issue or receive OCPP commands. The result can be unauthorized control of charging infrastructure, privilege escalation, and corr [truncated]
CVE-2026-26305 is a network-reachable rate-limiting weakness in a WebSocket Application Programming Interface associated with Mobility46 mobility46.se. CISA says the API accepts unrestricted authentication requests, which may let an attacker suppress or mis-route legitimate charger telemetry, trigger denial-of-service conditions, or brute-force credentials for unauthorized access. The advisory was initial [truncated]
CVE-2026-22878 is an information-disclosure issue affecting Mobility46/mobility46.se where charging station authentication identifiers are publicly accessible via web-based mapping platforms. The advisory is dated 2026-02-26 and assigns a CVSS v3.1 score of 6.5 (Medium). Based on the supplied advisory text, the primary concern is unintended exposure of identifiers rather than service outage.